Pass for iOS

If you have a GPG keypair, believe in using strong passwords and are paranoid (don’t trust password management tools), then pass is the tool for you. I’ve been using it for so long that I can’t remember when I started using it and I have to say, I really like it.

Pass is a FOSS tool that lets you roll your own password management tool-chain, and if that sounds hard, it’s not. It works by storing your passwords, security questions, etc. in version-controlled text files, each encrypted to your GPG key. You then clone your password repo and copy your GPG keys to every device from which you want to access your passwords.


A known downside of pass is that it leaks metadata: each entry is a separate file whose name is not encrypted, so anyone who can see the repository can see which accounts you have. The workaround is to store all your passwords in a single file. Guys in ##crypto on Freenode also recommend keepassxc.

A short overview of pass:

Have a GPG keypair and (not required but a really good idea) a hosted version control system.

However, this isn’t a post about pass; it’s about how to use pass on iOS, and there’s a tool, Pass for iOS, that does that. Assuming you’re already a pass user, the question is how to get pass working on your iPad, iPhone or whatever.

How do we transfer our SSH and GPG keys?

I think the easiest way would be via iTunes but that doesn’t feel right at all. Why would I trust a 3rd party server with my private key?

What I decided to go with is a tool, asc-key-to-qr-code-gif, that converts ASCII-armored GPG keys to QR codes, and then I scan those QR codes with Pass for iOS. It’s all open-source tools and no 3rd-party servers involved. Tell me what you think about this “convert your keys to QR code” business via a tweet.


Setup and installing dependencies

First, I had to install some dependencies via homebrew. I felt it important to install zbar in case there were any errors during QR code generation.

Export your GPG keys into ASCII armored files

Generate and scan the GPG gifs:
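As an added illustration of what any “armored key to QR frames” transfer has to get right (my own script, not the asc-key-to-qr-code-gif tool’s code): one QR symbol carries at most 2953 bytes, so the key is split into ordered frames, and the frames are reassembled and compared against the original before the key on the phone can be trusted. The frame file names and the “i/n” index line at the top of each frame are my assumptions; rendering uses qrencode only if it is installed.

```shell
#!/bin/sh
# Added example: split an ASCII-armored key into ordered, QR-sized frames and
# verify they reassemble byte-for-byte. Frame names and the "i/n" header are
# assumptions of this example, not the asc-key-to-qr-code-gif format.

QR_MAX_BYTES=2953                  # one version-40, level-L, byte-mode QR symbol
CHUNK_BYTES=${CHUNK_BYTES:-1500}   # stay well under the limit so phones lock on fast

# split_key KEY.asc OUTDIR -> writes OUTDIR/frame-001.txt ... and prints the count.
# The "i/n" first line lets the receiver order frames and notice a missed one.
split_key() {
    key=$1; out=$2
    mkdir -p "$out"
    split -b "$CHUNK_BYTES" "$key" "$out/part-"   # part-aa, part-ab, ... sort in order
    set -- "$out"/part-*
    n=$#; i=0
    for p in "$@"; do
        i=$((i + 1))
        frame="$out/frame-$(printf '%03d' "$i").txt"
        { printf '%d/%d\n' "$i" "$n"; cat "$p"; } > "$frame"
        rm "$p"
        [ "$(wc -c < "$frame" | tr -d ' ')" -le "$QR_MAX_BYTES" ] \
            || { echo "frame $i exceeds one QR symbol" >&2; return 1; }
    done
    echo "$n"
}

# reassemble_key OUTDIR DEST -> drop each frame's index line, concatenate in order.
reassemble_key() {
    : > "$2"
    for f in "$1"/frame-*.txt; do
        tail -n +2 "$f" >> "$2"
    done
}

# roundtrip_ok KEY.asc OUTDIR -> 0 only if the frames reproduce the key exactly.
# A single corrupted frame means an unusable private key on the phone.
roundtrip_ok() {
    reassemble_key "$2" "$2/reassembled.asc"
    [ "$(cksum < "$1")" = "$(cksum < "$2/reassembled.asc")" ]
}

# render_frames OUTDIR -> one PNG per frame (8-bit mode, level L) via qrencode.
render_frames() {
    command -v qrencode >/dev/null 2>&1 || { echo "qrencode not installed" >&2; return 1; }
    for f in "$1"/frame-*.txt; do
        qrencode -8 -l L -r "$f" -o "${f%.txt}.png"
    done
}
```

Scan the frames in order on the phone, then run the same reassembly check against the result before deleting anything.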

SSH

I prefer to have a different SSH key for each device; that way it’s easy to revoke access for a single device. Moreover, using ed25519 keys on phones often fails because of the OpenSSH versions they ship with, so I just go with RSA, which is the default anyway. In this case it even had to be PEM format because of the version of GitSSH on iOS. Based on the Supported Unsupported Key Algorithms wiki page and issue 218, generate device keys with: